As incidents of cybercrime increase, forward-thinking healthcare organizations and the companies that support them are looking for ways to minimize the risk of becoming a victim of these illegal activities.
One solution that has become more popular is third-party assurance and advisory services such as SOC 2®. What does SOC 2 really mean, what is involved in achieving this status, what is the value of SOC 2 for healthcare companies, and where does SOC 2 fall short for these organizations?
SOC 2 for Healthcare – Sorting the SOCs
The first task is to decode a few acronyms. The SOC in SOC 2 stands for Systems and Controls. These voluntary compliance standards (SOC 1®, SOC 2®, SOC 3®) were established by the AICPA (American Institute of Certified Professional Accountants) as third-party audit reports to meet the needs of a broad range of users who need detailed information and assurance about the controls at service organizations, such as software-as-a-service (SaaS) companies.
SOC 1 focuses primarily on the financial controls within an organization, while SOC 2 examines the “…security, availability, and processing integrity of the systems the service organization uses to process users’ data and the confidentiality and privacy of the information processed by these systems.”
SOC 1 and SOC 2 audits are further broken down into Type 1 or Type 2. Type 2 audits are much more in-depth than Type 1 audits and are generally considered to be of greater value to a company and its clients. For the purposes of this discussion, all mentions of SOC 2 refer to the SOC 2 Type 2 audit.
SOC 3 reports contain the same information as SOC 2 reports, but the information is presented for a general audience rather than an informed one. SOC 3 reports can be generally distributed, unlike SOC 1 or SOC 2, which are intended for restricted audiences.
The AICPA also offers SOC for Cybersecurity, which provides services similar to their SOC 2 audits for businesses, non-profits, and other non-service organizations. SOC for Supply Chain focuses explicitly on that industry.
SOC 2 for Healthcare – Meeting the Standard
SOC 2 was introduced with the explicit purpose of addressing the need of companies to externally validate and communicate their state of security using the AICPA’s TSC (Trust Services Criteria) as the measuring stick. TSC includes security measures such as encryption, access controls, two-factor authentication, and firewalls.
An outside auditor determines whether a service organization ensures that it and its service providers securely manage customer data, using the SOC 2 standards as a guide. “Customer data” is a broad category of information that includes personal information, financial information, and other information tied to specific individuals.
At the end of the auditing process, the SOC 2 auditor issues a report. This report provides detailed information about a service organization’s security, availability, processing integrity, confidentiality, and/or privacy controls.
SOC 2 for Healthcare – The Value of Knowing
Achieving SOC 2 compliance is an intensive process that usually requires a significant investment of time, resources, and dollars. Depending upon the size of the organization and the complexity of its systems, the cost of the auditing process can run as high as six figures, and it may take a year to complete.
As a result, the reports provide detailed information about the actual effectiveness of an organization’s security posture, controls, and systems. They can expose potential vulnerabilities that could result in breaches. The savings realized by preventing a data breach could far exceed the cost of an audit, not to mention the value of protecting an organization’s reputation.
Security-conscious organizations prefer to work with SaaS providers that are SOC 2 compliant, and some will not entrust customer data to companies that have not earned this designation.
SOC 2 for Healthcare – The Missing Piece
Achieving SOC 2 compliance is a significant accomplishment for any service provider in healthcare. But the full value of SOC 2 can only be realized if it is built upon an effective HIPAA compliance program.
One crucial difference between SOC 2 Compliance and HIPAA Regulations is that HIPAA’s requirements are not voluntary. They carry the full force of federal law, and failure to comply with HIPAA rules can expose a company to severe civil and even criminal penalties.
One of the primary reasons HIPAA was enacted was to protect the privacy and security of patient health information. HIPAA regulations identify 18 items classified as protected health information (PHI) that must be protected, whether in physical form or electronic format (ePHI).
This information is generally created by covered entities such as healthcare providers, insurance companies, or healthcare data clearinghouses. When covered entities use vendors to store, process, analyze, or use PHI and ePHI, those vendors are considered to be business associates under HIPAA regulations.
The regulations require any covered entities or business associates who possess HIPAA information to be fully HIPAA compliant. They also require business associate agreements (BAAs) to be signed before PHI is transmitted to business associates. These BAAs should clearly define the responsibilities of each party regarding the appropriate measures to safeguard protected health information and electronic protected health information.
PHI is more narrowly defined than the SOC 2 “customer data” category. While there will likely be overlap between the two data groups, you cannot assume that SOC 2 will automatically treat PHI in a fully HIPAA-compliant manner.